EU cookie law: ICO to contact 50 UK websites about compliance

The Information Commissioner’s Office will write to 50 top UK websites this week to find out what actions have been taken towards compliance with the new EU e-Privacy Directive.

During a press briefing last week the deputy commissioner and director of data protection David Smith declined to reveal which businesses were included on the list, but confirmed that site traffic was one of the criteria.

The websites in question will have 28 days to respond to the ICO’s letter.

While this may cause an administrative headache for the businesses involved, it will come as good news to many that the ICO does not plan to levy fines for breaches of the EU cookie law.

How will the ICO enforce the directive?

The new law, which comes into effect this week after a period of grace, gives the ICO the power to fine companies up to £500,000 for breaches of privacy regulations.

But Smith said the ICO was not “suddenly going to launch a torrent of enforcement action,” and that it would use formal warnings rather than fines to encourage websites to comply.

There would also be flexibility over when businesses become fully compliant with the new regulations, as the ICO understands that businesses have development cycles and can't suddenly redesign their sites:

It’s most unlikely that breaches of cookie requirements will meet the criteria that we have to satisfy before we can impose fines. It would have to be a serious breach and it has to be likely to cause substantial damage or distress to individuals.

He said that the ICO’s enforcement approach is to do with risk to people’s privacy, and the more intrusive the cookie is, the more likely it is to risk sanction. The level of penalty imposed will be worked out using a scale.

Tracking cookies for behavioural advertising are considered more intrusive, while analytic cookies are at the lower end of the scale.

If all they’ve got is website analytics it’s not all that likely that they will end up facing enforcement action from the ICO as we have a lot of other priorities before we’d ever get to them.

However, Smith was also quick to point out that businesses shouldn’t simply ignore the new cookie law because the ICO was adopting a fairly soft approach to enforcement.

Moving towards compliance

While the ICO has been in discussions with businesses about plans for compliance, many are unhappy that it has failed to say exactly what compliance will look like. Thus, many websites are unsure of the measures they should be taking.

The ICO’s own website is compliant with the cookie law, but Smith said it is not a model of how things should be done.

There are probably much more imaginative and user-friendly ways of getting consent.

The ICO is hoping that the industry will take the lead in coming up with best practice solutions and educating consumers about the new law. Group manager for business & industry Dave Evans said it would be “strange and naïve” for the ICO to think it was better placed to educate consumers than major websites.

Instead, businesses should be looking to educate users and obtain consent “in a way that fits in with what you do.”

We don’t want to be telling people how to run their business. We want to give people guidance on where they should be aiming and then they can come up with the best way to get there.

He said once consumers get used to seeing consent solutions it will become easier for the ICO to give advice to other businesses.

As rather than describing compliance we can direct them to these websites to see how they are doing it properly. Also, if lots of people in a particular sector are doing good things, then the people who are doing nothing are going to stand out.

Why comply at all?

If, as the ICO says, it will not aggressively enforce the directive and fines are unlikely, why would businesses risk losing users/sales/analytics insight etc by implementing consent mechanisms?

I think there's a lot to be said for educating users about the information that is used by websites, and more detailed privacy policies are welcome. However, businesses will wonder why they should add a strict compliance solution and risk higher bounce rates when there is no guarantee that competitors will do the same.

We put this question to David Smith:

You shouldn’t do nothing and hope you get away with it. We’ve said all along that this should be a targeted approach so businesses should review what they’ve got and look at where the privacy intrusion is the greatest and act on that area.

I would say to businesses that you are in a competitive market, you are in an area where trust and confidence is important, and your competitors are doing things. So if you’re the one who is seen not to be doing anything then you are taking a big risk and not just an enforcement risk.

Businesses have to make their judgements and take their decisions, and in doing that the more intrusive a cookie is the more likely it is to engage our attention. If all they’ve got is website analytics it’s not all that likely that they will end up facing enforcement action from the ICO as we have a lot of other priorities before we’d ever get to them, but what I can’t say is that that would be legally compliant, but they have to make their decisions.

Comments (16)

It'll be like avoiding the Sunday Times Rich list. Everyone will hope to rank in place #51!

over 5 years ago

Steve Morgan, Freelance SEO Consultant at Morgan Online Marketing

"I would say to businesses that you are in a competitive market, you are in an area where trust and confidence is important, and your competitors are doing things. So if you’re the one who is seen not to be doing anything then you are taking a big risk and not just an enforcement risk."

Forgive me for saying this, but: Rubbish! Not when I'd wager that 90%+ of consumers probably aren't aware of the legislation, what it is and how it affects them. The majority of marketers will be aware of it (because it affects them), but not your average Joe Websurfer.

The thing I don't like is that sites that DON'T comply stand to benefit (so long as they don't get fined), especially when you're talking about small business websites (which - by the sounds of it - probably won't get fined)...

If Site A complies and has a pop-up, but the visitor just abandons the site (after all, we've been trained to know that pop-ups are a bad, annoying thing, haven't we?), then goes to Site B which doesn't comply (and so doesn't have a pop-up or message of any sort), they might be more likely to stay on - and buy from - the latter website. In other words, the bad guys stand to do better out of it. For a business in a "competitive market" - as Mr. Smith puts it - I'd call that a bit of a turn-off, wouldn't you?

@Steve - this is the problem. If it isn't going to be strictly enforced why would any site do any more than 'just enough' and risk losing sales/traffic to competitors?

over 5 years ago

Simon West, Chairman at Nett Sales LLP

Legislators' power over the businesses they legislate is inherently "big stick". "I'm going to beat you with this if you don't do what I want you to do".

Having a legislator say "you should do... but I'm not going to beat you if you don't" is crazy. Especially as Steve has pointed out, there is commercial competitive advantage in not complying.

It's not up to legislators to tell businesses what the business case is for complying - they set the rules and beat up those that don't comply.

I can just imagine the discussion in a boardroom:

MD: So, Mr website manager, you want a budget of £50K to make our website less attractive, put off customers but make us compliant with legislation that is not going to be enforced?

Website manager: Er... yes!

over 5 years ago

Mike

The only reason why the ICO aren't fining people is because the UK government haven't covered their own asses. Frankly, I'd be surprised if they were all compliant within the year.

This move makes it hard for huge businesses to justify the price hit that putting an opt-in on cookies will bring. The big hitters are set to lose out on a lot of money from this as older visitors are likely to be confused by this new popup and will instinctively block cookies.

This will be an expensive and costly mistake, and the ICO will be smart to abandon this as soon as possible. If they had any common sense they would have gone after the major browser vendors to formulate a browser-based policy.

I think you have to read between the lines here. Any Government that doesn't transpose EU Directives risks significant fines. The UK Government has to be seen to implement the law but in conjunction with the regulator wants to take a business friendly approach. The UK as the leading European digital market also wants to set a 'light touch' standard for other markets to emulate. Therefore they're walking a tricky fine line. I think this is a 'damned if you do, damned if you don't' situation: big stick and you're accused of heavy handed external interference, hands off and you're criticised for lack of prescription.

I've always found the ICO to be approachable, honest and pragmatic in my dealings with them. There is a very clear 'read between the lines' sentiment in what they're doing. Best practice will out in the end, hopefully in a way that is non-intrusive yet raises consumer awareness across the board ultimately leading to the prevailing concept of 'implied consent'.

Bashing the ICO really doesn't help: they want to work with digital marketers, not against them.

@Mike, a browser-based policy was discussed at the meeting, but in order for it to work it requires the user to actually take some action (i.e. it's not compliant in the eyes of the law if the browser comes with pre-defined cookie settings). Also, users may want to allow different websites to drop different cookies, so setting blanket rules for all your web browsing wouldn't work.

As such, the ICO said that while browser settings may be part of the solution, it will still require action from websites to get consent from users.

over 5 years ago

Irfan Malik, Founder at Strategy1

Regarding Cookie compliance, I would suggest having a look at the FT website. More about educating the site visitor and putting the onus on them to disable cookies if they so wish (by providing instructions for browsers). I think this is the way to go, because if a user does disable cookies at browser level, chances are the quality of their 'surf' will be diminished. So in all likelihood will go back to their existing cookie level. I never thought I'd say it but, 'well done FT'.

I completely agree with protecting people's privacy, however the use of Google Analytics should be an exemption - as this is anonymous data - it's no different from a shop taking stats on the percentage of customers walking into their shops who are male or female, or 28% of customers bought blue jeans rather than grey etc etc.

It is not intrusive in any way to someone's personal privacy - Analytics is an essential tool for web marketers and companies to see how successful their websites are and if they can improve on their sites - no one will tick Yes to a cookie - making all Google Analytics information become a write off - bit daft!

The principle of the law is correct in the fact the consumer has a right (if interested) to know what cookies are being used and more importantly what the information is being used for.

If we can consider there is a clear difference between Cookies used for the purpose of enhancing the user journey or simple analytics and cookies used to track users even after they have left the website, why can't the law make this distinction and not blanket all cookies with the same rules?

Surely this will be much more logical to differentiate between the types of cookies so the public as Steve says are not put off websites that comply.

Having gone over the cookie law with a lawyer, we found it was loosely worded and seemed to be a temporary measure until web browsers were updated so people had to opt in to accepting cookies from the browser rather than the website.
